Advisories for Npm/Vega package

Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling this.foo(this.bar), DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG …

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vega.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine.